Thursday, July 23, 2020

Workbooks, Playbooks and Notebooks. Oh my!


Microsoft's new(ish) cloud-based SIEM, Azure Sentinel, is a powerful solution that lets you collect security data across an entire organization, including devices, users, apps and servers in any cloud - which means that there are a lot of working parts.


When I first looked at the management page, I was confused by the fact that many of the terms are so similar. There are Workbooks. There are Playbooks. And there are Notebooks. What's a girl to do?


After spending some time with the tool and learning how to use it, I decided to publish my thoughts on the best ways to look at these features. Today we're going to talk about workbooks.


Workbooks

A workbook is really nothing more than a dashboard. In fact, in an earlier iteration of Sentinel, they were actually called Dashboards. You use Workbooks to view insights gathered from data collected from various sources. They're kind of like a canvas that you can use to paint the data you want to see at a glance.

You may think - Ugh. What do I need another dashboard for? But in the world of secops, dashboards and other data visualizations provide the ability to view data trends and anomalies which help you spot when something is amiss. 

Workbooks have tons of possibilities. You can do everything from simple data presentation, to complex graphing and investigative maps. With Workbooks, you can include text, charts, grids and graphs to help visualize the data in the most effective way for you. 

Sentinel provides a collection of out-of-the-box workbooks like the ones for Azure AD Sign-in logs or F5 or Palo Alto. You can also create your own. There is also a fantastic GitHub repository where people share workbooks, hunting queries and much more.

The real power of Workbooks is the ability to combine data from disparate sources within a single report. This allows for the creation of composite resource views or joins across resources enabling richer data and insights that would otherwise be impossible.

Let's take a look at one of the out-of-the-box Workbooks. Below is a screenshot of the Azure AD Sign-in logs. You can see that the report lists out Sign-ins by Location, Sign-ins by Device and the number of Sign-ins using Conditional Access. 

By looking at the report, we can see that 312 people are logging in from India. Maybe this is perfectly normal. But maybe we don't expect anyone to log in from India, so this is something we need to investigate. Other important information might be that in Sign-ins by Device, we see that we have six logins from a Windows 7 machine. Wait a second! We thought we had retired all the Windows 7 machines.

Again, this just gives an easy visual representation of things that might need further investigation.
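To show what sits behind panels like "Sign-ins by Location" and "Sign-ins by Device", here is an added example query (not from the original post or Microsoft's workbook templates) that produces the same breakdown and flags the two situations described above. It assumes the Azure AD SigninLogs table is connected to your workspace; the expected-country and retired-OS lists are placeholders to replace with your own.

```kusto
// Added example: breakdown of successful sign-ins by country and device OS,
// with a Flag column for the anomalies discussed in the text.
// Assumptions: SigninLogs is ingested; the two lists below are placeholders.
let lookback = 7d;
let expectedCountries = dynamic(["US", "CA"]);   // placeholder allow-list
let retiredOS = dynamic(["Windows 7"]);          // OS versions that should be gone
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                        // successful sign-ins only
| extend OS = tostring(DeviceDetail.operatingSystem)
| summarize SignIns = count(),
            Users = dcount(UserPrincipalName),
            WithConditionalAccess = countif(ConditionalAccessStatus == "success")
    by Country = Location, OS
| extend Flag = case(
    Country !in (expectedCountries), "unexpected location",
    OS in (retiredOS), "retired OS still signing in",
    "")
| order by SignIns desc
```

Pasting this into a workbook query step and rendering it as a grid gives you the same at-a-glance view as the built-in workbook, with the rows worth investigating called out explicitly.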